Black Hat USA 2015 Course Review - Adaptive Red Team Tactics from Veris Group

My employer was gracious enough to send me to Black Hat USA this year. I've known for a long time that Black Hat is the premiere conference in our industry and they most certainly have the broadest and best compendium of training on tap. Naturally I jumped at this opportunity and began considering which course to sign up for. 

There were a number of options that were extremely enticing (Dark Side Ops from Silent Break Security, Special Topics in Malware Analysis from Mandiant, Shellcode Lab, and of course the regular offerings from Saumil Shah, Dave Kennedy and many others). Ultimately I elected to take a course that would benefit me both personally and professionally in the near term.  I wanted to study something that would be challenging and interesting but that would immediately benefit me at my current job (and possibly help us to expand our business). 

Black Hat has something for everyone (across the defensive and offensive spectrum) and after considerable delibaration I decided to register for Adaptive Red Team Tactics from Veris Group. This is an interesting team in that a lot of the core members burst onto the scene a few years ago with very high skill sets and seemingly no prior social media presence or history. It's no coincidence that many of them have military backgrounds and it's easy to see that that these defence and intelligence agencies are investing in and producing extremely capable information security professionals. 

One of the issues with BlackHat is that there are very few course reviews available online. You may find the occasional critique on 'Ethical Hacker' or an independent blog such as this one but outside of that you are selecting a class somewhat blindly. This is in part my motivation for writing this post. I encourage other attendees to do the same. Ideally I would like to see BlackHat incorporate a formal community review and rating system to courses that are offered year after year (or at least instructor reviews).

The class was mainly taught by Will Schroeder and Justin Warner (with help from David McGuire and Jared Atkinson) over 2 days. Will and Justin are fairly well known on the conference circuit as they have made a lot of noise in the last couple of years due to development of their offensive oriented toolkits Veil and PowerView. I'm a big fan of both of these projects, and based on the military background I knew that these would be the ideal people to learn Red-Teaming from. Notably, Raphael Mudge (the creator of Cobalt Strike/Armitage) was also in attendance which was a huge bonus. If they continue to use this tool as the primary post-exploitation framework then I'd like to see him continue to attend as his presence and contributions felt very natural. However, Will and Justin recently debuted Empire, a PowerShell based post-exploitation tool that I feel will play a more prominent role should they continue to offer this training.

Red Teams in IT Security are somewhat of a new concept to non-governmental non-defence related organizations. The idea is that we have to go beyond Web Application Assessments, Penetration Testing, and Vulnerability Scanning in order to secure information assets and operational security. Red Teams will model advanced threat actor behaviour and embed themselves in an organization for an extended period of time. Similar to a Social Engineering project, Blue Teams (or defenders) should not be aware of the presence of a Red Team. Penetration Testing will often reveal holes in the organization, poor practices, exploitable vulnerabilities, and other valuable information. But what value does this really provide defenders? Maybe now they have a few vulnerabilities they can go and patch, a user to reprimand, and a network to segment but that hardly benefits the ongoing day-to-day defensive operations of the company. What did the individuals watching the SIEM and IPS/IDS get out of this engagement? Do they better understand offensive threat actor behaviour? Was there any qualitative or quantitative follow-up with the defenders to see if they caught anything? Were forensic artifacts provided by the penetration tester to help defenders improve? In traditional penetration testing, the answer is often simply no. There is still value in running a project like this, particularly for immature organizations who find a lot of these concepts to still be extremely foreign. But for companies that have invested heavily in security products, people, and processes, this information does not drive their security program toward maturity and evolution.

Red Teams are all about advanced threat modelling. A penetration tester will typically look for vulnerabilities, exploit a system, elevate privileges, steal credentials and take over a domain controller. This is usually the extent of the project. Oftentimes Social Engineering is deemed out of scope, an internal foothold is provided to the penetration tester, and staff are informed of the event or worse, the activity is whitelisted. A Red Team will look to model an advanced threat actor by establishing stealthy persistent backdoors, beacon out to a command and control server, spread laterally in an environment to take over as many systems and user accounts as possible, install key-loggers, peruse sensitive file shares, identify critical databases, exfiltrate data, and abuse domain trusts. This can be done using a black-box approach in which the Red Team must break past perimeters using social engineering or by exploiting external-facing systems. Other companies may elect to plant someone on the inside and provide access to assume a footprint on the internal network has already been established.

This sequence of activities closely resembles the pattern of attack employed by hackers in massive breaches seen at Anthem, OPM, Target, and Sony. If you are worried about whether your network and employees are resilient to these types of breaches, you should be validating the effectiveness of your Blue Team by throwing a Red Team at them. 

The training environment focused on separating the class into different Red Teams each tasked with attacking a network. We worked in teams of four and spent most of our time in Kali, Cobalt Strike, PowerView (a PowerShell post-exploitation information gathering tool). Metasploit is great, Meterpreter is great, and those projects have a very valid purpose but they are not effective at emulating modern adversarial TTPs.

Day 1 - After some brief introductions and biographies we looked at defining and differentiating Red Teams from standard offensive security service offerings. We talked methodology, use cases, and general business oriented knowledge. The rest of the day centred on installing Cobalt Strike, standing up a team server, stealthily profiling a target company and launching a spear phishing attack to establish a foothold.  The lab network was very well set up and reliable. Each team had their own set of systems to attack. The class was given an introduction to Cobalt Strike so that we can understand the differences between Beacon and Meterpreter, setup listeners, launch spear phishing attacks and perform other functions without constantly having to reference the Cobalt Strike manual. Raphael obviously gave great insight about how to best use his product and the Veris Group team focused a lot on emphasizing how to be stealthy and use the product to avoid touching disk and triggering alarms. 

Many students immediately resorted to well trodden offensive security methodology by running vulnerability scans and attempting to exploit the perimeter of the target environment. Veris Group had an active defender monitoring for noisy and obvious actions and took steps to IP ban or process kill teams that failed to employ stealthy tactics emphasized in the class material. Jared Atkinson (threat hunt lead for Veris Group) took the time to explain some of his defensive strategies and was primarily using tools he has helped to build (namely Invoke-IR and Uproot-IDS). This was a phenomenal aspect of the course as we were essentially forced to adopt the lecture material that had been covered in order to be successful. Moreover the theory did not feel specifically crafted for this course or environment and consequently the attack tactics felt natural and applicable to real world scenarios. 

We also looked at how to profile a company, crawl public resources for information, give context to Phishing attacks by researching social networks and company issued press releases. Emphasis was also given toward attacking weaker subsidiary organizations connected to the primary target. The instructors revealed the best ways to get a foothold on the target network (there were multiple avenues of attack as in the real world) and ensured that all teams were caught up after giving ample time for each group to launch their attacks independently.

Day 2 - Our time was primarily spent abusing native Operating System services and trusts to elevate privilege, move laterally, map domain trusts, identify sensitive users and files, exfiltrate data and establish persistence. Naturally we used Veil and PowerView to abuse service and executable permissions, scan the network for user accounts, local administrators, and interesting file shares. The instructors covered how this is nicely integrated with Cobalt Strike and introduced SMB Beacon which is an exceptional way of pivoting stealthily in an environment to compromise additional hosts. 

A lot of focus was given to explain user privileges in modern windows environments (TGT Hashes, Golden Tickets, Silver Tickets, high-integrity user context) and how that maps back to various Windows infrastructure (Kerberos, Active Directory). They also spent some time talking about Active Directory and demonstrating how their tools can be used to identify users and groups in a domain that have transitive, bi-directional or one way trusts to other domains. 

We also covered the trade-offs between PSEXEC, WINRM, and WMI when employing 'Pass-the-Hash' based attacks and talked about the importance of leaving as few forensic artifacts as possible while never touching disk. Cobalt Strike's Beacon uses reflective PE/DLL injection wherever possible and this is very impressive. There are even techniques we learned that enable us to inject an encoded post exploitation agent (Beacon) using a trusted Windows service (PowerShell) into a trusted process (LSASS). Combining this strategy while pivoting over named SMB pipes is incredibly stealthy. Anti-Virus who?

Overall I was extremely satisfied with this course. I would definitely recommend it to anyone who is looking to learn about Red Teams, threat actor methodology, or simply wants to add to their skill set. It was well presented and challenging material. The lab work was not linear or direct. It allowed for creative thinking and encouraged students to solve problems in many ways. I was exposed to new tools and feel confident using them in my job. If you work in offensive security and you aren't looking at Cobalt Strike, Beacon, PowerView, and Veil then you are missing out on a world of opportunities. The course never lost site of its goals which is to have you apply these tools and knowledge in a way that emphasizes Red Teaming over Penetration Testing. The fundamental difference is that a Red Team wants data and information while a Penetration Tester just wants privileged access.

Related Links:
https://www.veil-framework.com/
http://www.advancedpentest.com/
http://www.invoke-ir.com/
https://github.com/PowerShellEmpire/